    To Default Reject Or Block That is the Question.

    • JonathanLee

      Hello fellow Netgate Community members,

      I wanted to share this with you in case you ever asked the question what the difference is between block or reject...

      Screenshot 2025-07-07 at 18.39.34.png

      This is the result of a default block-all on the WAN interface

      Screenshot 2025-07-07 at 18.40.13.png

      Versus Reject....

      Screenshot 2025-07-07 at 18.41.30.png
      If set to reject ....
      Screenshot 2025-07-07 at 18.43.36.png
      EPIC FAIL!!!!

      Screenshot 2025-07-07 at 18.43.11.png

      Why it matters: because it provides a response, it's not stealthy.

      Ref: https://www.grc.com/

      Make sure to upvote

      • fireodo @JonathanLee

        @JonathanLee said in To Default Reject Or Block That is the Question.:

        Why it matters: because it provides a response, it's not stealthy.

        I think that is normal: when a rule blocks, the packets are silently discarded, but when it rejects, the other party gets an answer that the request was rejected, IMHO. But in both cases the firewall is closed.

        Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
        SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
        pfsense 2.8.0 CE
        Packages: Apcupsd, Cron, Iftop, Iperf, LCDproc, Nmap, pfBlockerNG, RRD_Summary, Shellcmd, Snort, Speedtest, System_Patches.

        • johnpoz LAYER 8 Global Moderator @JonathanLee

          @JonathanLee said in To Default Reject Or Block That is the Question.:

          Why it matters: because it provides a response, it's not stealthy.

          The problem is not that it's not "stealthy" - the problem is you would be sending a reject for all the noise hitting your WAN. Reject on a WAN interface is almost never a good idea. The only time it makes sense is if you want a reject sent, say to allow a traceroute answer from that hop or something. Why would you want to make your firewall work harder, and use bandwidth to send rejects to noise?

          Also, placing a block on your WAN, unless used with other rules, or wanting to specifically log or not log something, seems a bit pointless, since the default deny will drop any traffic that is not specifically allowed anyway.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • fireodo @johnpoz

            @johnpoz said in To Default Reject Or Block That is the Question.:

            Reject on a WAN interface is almost never a good idea.

            That is correct.

            Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
            SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
            pfsense 2.8.0 CE
            Packages: Apcupsd, Cron, Iftop, Iperf, LCDproc, Nmap, pfBlockerNG, RRD_Summary, Shellcmd, Snort, Speedtest, System_Patches.

            • JKnott @JonathanLee

              @JonathanLee said in To Default Reject Or Block That is the Question.:

              I wanted to share this with you in case you ever asked the question what the difference is between block or reject...

              A block just drops the packet, without any other response. A reject sends an ICMP message back advising why. You want to use block on the WAN, so that the attacker has no confirmation there's something there. Use reject on the LAN, so that an issue can be identified.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

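The block-on-WAN / reject-on-LAN policy described in this thread, written out as pf rules of the kind pfSense generates (an added illustration, not a ruleset from the thread or from the pfSense project; interface names and the LAN subnet are assumed placeholders):

```pf
# Assumed interface names and LAN subnet; adjust to the actual hardware.
wan_if  = "igb0"
lan_if  = "igb1"
lan_net = "192.168.1.0/24"

# WAN: default deny as a silent drop. "block drop" discards the packet and
# sends nothing back, so unsolicited probes on the WAN get no reply at all
# (the behaviour shown in the first post's "block" screenshots).
block drop in log on $wan_if all label "WAN default deny (drop, no reply)"

# For contrast only, commented out: the same rule as a reject. "block return"
# answers each blocked packet with a TCP RST or ICMP unreachable, so every
# bit of noise hitting the WAN costs a reply and confirms a host is present.
# block return in log on $wan_if all label "WAN reject (answers every probe)"

# LAN: reject so that an internal client whose traffic is denied fails fast
# with an ICMP/RST instead of waiting for a timeout, which makes the issue
# easy to identify during troubleshooting.
block return in log on $lan_if from $lan_net to any port 23 label "LAN reject telnet"
pass in on $lan_if from $lan_net to any keep state label "LAN allow outbound"
```

On pfSense the rendered ruleset can be inspected with `pfctl -sr` to confirm whether a given rule was generated as `block drop` or `block return`.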
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.